b"U.S. DEPARTMENT OF COMMERCE\n          Office of Inspector General\n\n\n\n\n            UNITED STATES PATENT\n           AND TRADEMARK OFFICE\nAdditional Senior Management Attention\n         Needed to Strengthen USPTO\xe2\x80\x99s\n           Information Security Program\n      Final Inspection Report No. OSE-14816/March 2002\n\n\n\n\n                          PUBLIC\n\n                         RELEASE\n\n\n\n\n\n                            Office of Systems Evaluation\n\n\x0cU.S. Department of Commerce                                                                    Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                                           March 2002\n\n\n\n\n                                                             CONTENTS \n\n\nEXECUTIVE SUMMARY ............................................................................................................ ii\n\n\nINTRODUCTION .......................................................................................................................... 1 \n\n\nBACKGROUND ............................................................................................................................ 2 \n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY........................................................................ 6 \n\n\nFINDINGS AND RECOMMENDATIONS................................................................................... 8 \n\nI. Information Security Policies and Procedures Are Formal and Documented ........................ 8 \n\nII.\t Key Management Controls Are Not Fully Implemented........................................................ 8 \n\n      A. \t Risk Assessments Have Not Been Completed................................................................ 8 \n\n      B.\t Security Plans Are Outdated........................................................................................... 9 \n\n      C.      
Systems Are Not Accredited....................................................................................... 9 \n\n      D. \t Information Policies and Security Controls Are Not Periodically Reviewed............... 10 \n\n      E. \t USPTO Needs to Determine Whether It Has a Potential Material Weakness.............. 10 \n\nIII.\t Key Operational Controls Are Not Fully Implemented........................................................ 13 \n\n      A. \t Information Security Awareness, Training, and Education Are Inadequate ................ 13 \n\n      B.\t Incident Response Reporting And Handling Procedures Need To Be Revised ........... 14 \n\nIV.\t Information Security Requirements Should Be Identified in Capital Asset Plans ............... 15 \n\n      and Linked to Security Cost Estimates ................................................................................. 15 \n\nV. \t Information Security Could Be Improved by Proactive Attention ....................................... 17 \n\n      from Senior Management ..................................................................................................... 17 \n\nAPPENDIX A............................................................................................................................... 19 \n\n\nAPPENDIX B ............................................................................................................................... 21 \n\n\nATTACHMENT A ....................................................................................................................... 22 \n\n\n\n\n\n                                                                      i\n\x0cU.S. 
Department of Commerce                                                 Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                        March 2002\n\n\n                                       EXECUTIVE SUMMARY \n\n\nUSPTO\xe2\x80\x99s day-to-day operations grow increasingly dependent on information technology\xe2\x80\x94\npatent and trademark applications are filed, fees are paid, and some USPTO employees telework\nelectronically via the Internet, just to cite a few. These advances promise to improve delivery of\nUSPTO services, but they also increase the risk to and vulnerability of USPTO\xe2\x80\x99s computer\nsystems and networks. Greater access escalates the risk of unauthorized access and exposure of\nUSPTO\xe2\x80\x99s data to unauthorized disclosure or modification.\n\nThe objective of our evaluation was to determine whether USPTO\xe2\x80\x99s information security\nprogram for unclassified systems complies with the Government Information Security Reform\nAct (GISRA), which mandates that federal agencies have effective security for the information\nresources supporting their operations and assets. Using NIST\xe2\x80\x99s Security Self-Assessment Guide\nfor Information Technology Systems,1 as recommended by OMB, we evaluated USPTO\xe2\x80\x99s\ninformation security policies and procedures, roles and responsibilities, and adherence to\napplicable laws, regulations, and guidance.\n\nUnder GISRA, information security is the responsibility of agency senior management\xe2\x80\x94the\nagency head, senior agency officials, and the Chief Information Officer (CIO). 
Each agency\nhead is charged with ensuring the security of information and information systems by promoting\nsecurity as an integral component of that agency\xe2\x80\x99s business operations.\n\nWe found that although USPTO generally has documented policies and procedures in place that\nare consistent with accepted security practices, many other important security requirements are\nnot satisfied. Our findings suggest that information security has not yet become an integral part\nof USPTO\xe2\x80\x99s business operations; therefore, fundamental responsibilities are frequently not\ncarried out. In its GISRA reporting to OMB for fiscal year 2001, we are concerned that USPTO\nsubstantially overestimated the quality of its security program and presented unrealistic\nexpectations for improvement for this year and next. Moreover, it should be noted that we have\nidentified strengthening information security as a top 10 management challenge for the\nDepartment. Although the American Inventors Protection Act of 1999 (P.L. 106-113) recast\nUSPTO as a performance-oriented organization, giving it substantial autonomy and\nindependence from the Department, this challenge applies to USPTO as well.\n\nOur evaluation found the following issues:\n\n\xef\xbf\xbd\xef\xbf\xbd\t Eighty-two percent of USPTO\xe2\x80\x99s 78 operational systems do not have documented risk\n    assessments, 30 percent of its security plans are outdated, and none of its operational systems\n    have a current accreditation as required by OMB Circular A-130. Lack of accreditation\n    means that USPTO management has not officially authorized any of these systems for use.\n    Moreover, USPTO officials do not conduct periodic reviews of information policies and\n\n\n1\n National Institute of Standards and Technology, August 2001. Security Self-Assessment Guide for Information\nTechnology Systems NIST Special Publication 800-26. 
Gaithersburg, MD: National Institute of Standards and\nTechnology.\n\n\n\n                                                       ii\n\x0cU.S. Department of Commerce                                          Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                 March 2002\n\n\n   security controls and techniques. As a result of these problems, USPTO lacks assurance that\n   its operational systems are adequately protected. (See page 8.)\n\n\xef\xbf\xbd\xef\xbf\xbd\t USPTO provides information security-awareness training to new employees, but does not\n    have a program to provide adequate training and education to personnel who need\n    specialized security skills and competencies. Thus, USPTO cannot ensure that employees\n    who have significant security responsibilities understand or apply effective information\n    security practices. (See page 13.)\n\n\xef\xbf\xbd\xef\xbf\xbd\t USPTO\xe2\x80\x99s incident response procedures do not include any requirement to report incidents to\n    the General Services Administration\xe2\x80\x99s Federal Computer Incident Response Center or to\n    OIG. Such reporting is required by GISRA and OMB guidance. In addition, incident\n    reporting is a valuable tool that aids the federal government in recognizing and detecting\n    intrusions and securing its information systems. (See page 14.)\n\n\xef\xbf\xbd\xef\xbf\xbd\t USPTO\xe2\x80\x99s funding requests for information security do not appear to be based on a thorough\n    analysis of its security needs or the cost of satisfying them. Even though OMB stated it will\n    not approve funding for projects that do not include the cost of meeting security\n    requirements, USPTO did not identify costs for these requirements in its fiscal year 2002 or\n    2003 budget submissions. 
If challenged by OMB, USPTO will not be able to justify the\n    funding it requested to plan and implement needed security improvements. (See page 15.)\n\n\xef\xbf\xbd\xef\xbf\xbd\t Although essential to establishing the environment and ensuring the resources needed to\n    promote an effective information security program, senior management\xe2\x80\x99s awareness and\n    support of this program are minimal and its proactive involvement is absent. Because\n    USPTO\xe2\x80\x99s information security needs have not received adequate attention by senior\n    management, significant weaknesses exist in its information security planning, budgeting,\n    implementation, review, and oversight. (See page 17.)\n\nWe made numerous recommendations for improving information security at USPTO (see pages\n11, 12, 15, 16, and 18). Most importantly, we recommend that the Under Secretary of\nCommerce for Intellectual Property and Director of USPTO ensure that senior management\nofficials give information security high priority, sufficient resources, and their personal attention\nand that they work closely with the CIO to improve information security at USPTO (see page\n18).\n                                                 \xef\xbf\xbd\nUSPTO agreed with all of our recommendations and has described corrective actions it is taking\nor has planned (see Attachment). We have included a synopsis of USPTO\xe2\x80\x99s response and, where\nappropriate, our comments on its response.\n\nAs regards accreditation, USPTO indicated that whether it can complete system accreditations\naccording to the timetable we recommend depends on the resources required and their\navailability (see page 23). Because of the importance of accreditation in ensuring that\noperational systems are adequately protected, when allocating resources, we urge USPTO to give\nthis matter high priority. 
USPTO also sought clarification on incident reporting procedures (page\n\n\n                                                 iii\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                              March 2002\n\n\n25) and the acceptability of reporting incidents to the Department, which would then relay the\ninformation to FEDCIRC. The OIG accepts this as a suitable approach.\n\nUSPTO\xe2\x80\x99s response to the Draft Inspection Report is included as Attachment A.\n\n\n\n\n                                               iv\n\x0cU.S. Department of Commerce                                              Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                     March 2002\n\n\n                                          INTRODUCTION \n\n\nOn October 30, 2000, the President signed into law the Government Information Security\nReform Act (GISRA), Title X, subtitle G, of the 2001 Defense Authorization Act (P.L. 106-398).\nThe law amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on\ninformation security, which primarily addresses managing, implementing, overseeing, and\nensuring the security of unclassified and national security information systems.\n\nUnder GISRA, information security is the responsibility of agency senior management\xe2\x80\x94the\nagency head, senior line managers, and the Chief Information Officer (CIO). Appropriate senior\nofficials are responsible for assessing security risks associated with operations and assets for the\nprograms and systems over which they have control. Each agency head is charged with ensuring\nthe security of information and information systems by promoting security as an integral\ncomponent of that agency\xe2\x80\x99s business operations. 
Each is also charged with ensuring that an\ninformation security plan to safeguard the privacy, confidentiality, and security of federal\ninformation is carried out throughout the life of each system.\n\nThe agency CIO is required to administer the information security program agency-wide. This\nincludes developing the security program, ensuring that the program is effectively implemented\nand maintained, training and overseeing personnel with significant responsibilities for\ninformation security, and assisting other senior agency officials with their information security\nresponsibilities.\n\nGISRA also requires all federal agencies to perform annual reviews of their security programs\nand the Office of Inspector General (OIG) for each agency to conduct independent evaluations.\nThis report presents the results of our independent evaluation of the U.S. Patent and Trademark\nOffice (USPTO) information security program as required by GISRA.\n\nThis draft report presents the results of our evaluation of USPTO\xe2\x80\x99s information security policies\nand procedures as they apply to USPTO entitywide. A separate report that OIG recently provided\nto USPTO presents a review of the adequacy and effectiveness of the general controls related to\nthe integrity, confidentiality, and availability of information specifically associated with\nUSPTO\xe2\x80\x99s financial systems, which is required as part of the audit of USPTO\xe2\x80\x99s financial\nstatements.2 A review of the security of selected non-financial information systems will be\nconducted separately.\n\nOur evaluation was conducted in accordance with the Quality Standards for Inspections issued\nby the President\xe2\x80\x99s Council on Integrity and Efficiency and was performed under the authority of\nthe Inspector General Act of 1978, as amended, and Department Organization Order 10-13,\ndated May 22, 1980, as amended.\n\n\n\n\n2\n US Department of Commerce, Office of Inspector General, February 2002. 
Improvements Needed in the General\nControls Associated with USPTO\xe2\x80\x99s Financial Management Systems, Audit Report No. FSD-14477-2-0001.\nWashington, DC: US Department of Commerce..\n\n\n                                                     1\n\n\x0cU.S. Department of Commerce                                             Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                    March 2002\n\n\n\n\n                                          BACKGROUND\n\nAt USPTO, information technology increasingly supports day-to-day operations. Greater\nreliance on the Internet is evidenced by the increasing numbers of clients electronically filing\npatent and trademark applications and paying fees and by the larger number of USPTO\nemployees who use the Internet to communicate for purposes of teleworking. Although these\nadvances promise to improve USPTO\xe2\x80\x99s ability to deliver services, they expose the agency\xe2\x80\x99s\ncomputer systems and networks to a greater risk of unauthorized access and increase the\npossibility of unauthorized disclosure or modification of USPTO data. Cost-effective security\nmeasures are required to protect USPTO\xe2\x80\x99s information assets.\n\n\nUSPTO\xe2\x80\x99s Allocation of Information Security Responsibilities\n\nMany offices within USPTO have information security responsibilities (The shaded boxes in\nFigures 1 and 2 indicate the offices discussed in this report that share responsibility for\ninformation security.) 
Some key responsibilities are described here; other roles and\nresponsibilities are presented in Appendix A.\n\n\n                                             Under Secretary of         United States Patent and Trademark Office\n                                          Commerce for Intellectual     High-Level Organizational Structure\n                                         Property and Director of the\n                                           United States Patent and\n                                              Trademark Office\n\n\n\n                     Commissioner                                          Commissoner\n                         for                                                    for\n                       Patents                                              Trademarks\n\n\n\n\nChief Financial      Administrator for                                     Administrator for      Chief Information\n   Officer                                    General Counsel             Quality Management           Officer\n                      External Affairs\n                                                                             and Training\n\n\nFigure 1. Responsibilities for Information Security\n\nThe Under Secretary of Commerce for Intellectual Property and Director of the United States\nPatent and Trademark Office determines the policies, directs the programs, and is responsible for\nall activities of USPTO. The Under Secretary is also ultimately responsible for approving all\ninformation technology strategies and initiatives and has the overall responsibility of ensuring\nthe confidentiality, integrity, and availability of information systems and assets.\n\n\n\n                                                    2\n\n\x0cU.S. 
Department of Commerce                                                        Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                               March 2002\n\n\n\n\nThe Commissioner for Patents provides administrative and policy direction to patent examining\ngroups and related operations and validates functional requirements, including security\nrequirements. The Commissioner for Trademarks has the same responsibilities with regard to\ntrademark examination.\n\nThe USPTO CIO approves information security policies and procedures and also is the principal\nadvisor to the Under Secretary on the application of information technology to support and\nimprove USPTO business processes and information.\n\n\n\n\n     Chief Information\n          Officer\n\n\n\n\n      Deputy CIO for      Office of System   Office of System\n                                                                       Office of Data        Office of Acquisition\n         System           Architecture and   Development and\n                                                                        Managment                Management\n       Modernization        Engineering        Maintenance\n\n\n\n\n      Deputy CIO for                          Office of                                   Office of\n                             Office of                          Office of System\n        Information                          Information                                 Information\n                             Customer                            and Network\n    Technology Services                        Systems                                  Dissemination\n                          Support Services                        Management\n                                               Security                                    Services\n\n\n\n    Office of System\n       Assurance\n\n\n\n\n      Office of\n    Public 
Records\n\n\n\n\nFigure 2. Office of the Chief Information Officer\n\nThe Deputy CIO for System Modernization provides the CIO with system support for system\narchitecture and engineering and for system development and maintenance. This official is\nresponsible for ensuring that security is designed into each information system. This is\naccomplished by assigning a system development manager from this organization to each system\nbeing developed or acquired.\n\nThe Deputy CIO for Information Technology Services provides support to the CIO in the areas\nof technical support services, system and network management, and information dissemination.\nThis position also provides administrative and policy oversight for the Office of Information\nSystems Security (OISS).\n\n\n\n\n                                                      3\n\n\x0cU.S. Department of Commerce                                                     Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                            March 2002\n\n\nThe Information Systems Security Officer manages the OISS and provides for the\nimplementation, operation, and maintenance of an enterprise-wide information technology\ninfrastructure security program. 
This position is also responsible for\n\n      \xef\xbf\xbd\xef\xbf\xbd\t providing computer security consulting services to USPTO organizations;\n\n      \xef\xbf\xbd\xef\xbf\xbd\t providing support for computer security training for end users and developers;\n\n      \xef\xbf\xbd\xef\xbf\xbd\t conducting informal or formal compliance audits regarding requirements of OMB\n\n          Circular A-130, the Computer Security Act, and other policies and laws; and \n\n\n      \xef\xbf\xbd\xef\xbf\xbd\t leading technical development projects regarding the building and maintenance of the\n          USPTO computer security infrastructure.\n\nThe Information Systems Security Officer is also responsible for public key infrastructure\nimplementation, operations, and maintenance.3\n\nUSPTO\xe2\x80\x99s Fiscal Year 2001 GISRA Reporting\n\nAs noted previously, GISRA requires annual agency security program reviews in addition to\nannual OIG independent evaluations. As a result of the greater independence and flexibility\nallowed USPTO by the American Inventors Protection Act of 1999 (P.L. 106-113), USPTO\nsubmitted its fiscal year 2001 information security review separate from the Department\xe2\x80\x99s. In\nconducting its fiscal year 2001 review, USPTO used NIST\xe2\x80\x99s Security Self-Assessment Guide for\nInformation Technology Systems,4 (see Table 1 for control areas), which was recommended by\nOMB. The NIST guide builds on the Federal Information Technology Security Assessment\nFramework (Framework),5 which provides agency officials with a method for determining the\ncurrent status of their security programs relative to existing policy and, where necessary,\nestablishing a target for improvement. The Framework establishes five levels of information\nsecurity program effectiveness (Figure 3). 
Each level identifies the implementation steps that\nmust be taken to achieve that particular assessment level.\n\nBased on its self-assessment, USPTO reported that tested and reviewed information security\nprocedures and controls were in place for all of its systems. That is, USPTO rated itself at level 4\nunder the Framework, stating, \xe2\x80\x9cWith current funding levels, USPTO will meet 75 percent of\nlevel 5 compliance of GISRA at the end of FY 2002. However, we expect to achieve 100 percent\ncompliance by the end of FY 2003.\xe2\x80\x9d\n\n\n3\n A public key infrastructure enables users of a basically unsecure public network such as the Internet to securely\nand privately exchange data and money through the use of a public and a private cryptographic key pair that is\nobtained and shared through a trusted authority.\n4\n National Institute of Standards and Technology. August 2001. Security Self-Assessment Guide for Information\nTechnology Systems, NIST Special Publication 800-26. Gaithersburg, MD: National Institute of Standards and\nTechnology. (August 2001).\n5\n    The framework is Appendix C of the NIST Security Self-Assessment Guide.\n\n\n                                                          4\n\n\x0cU.S. Department of Commerce                                        Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                               March 2002\n\n\nTable 1. 
NIST Security Control Areas\n\n  Management Controls              Operational Controls              Technical Controls\n\xef\xbf\xbd\xef\xbf\xbd Risk Management             \xef\xbf\xbd\xef\xbf\xbd Personnel Security              \xef\xbf\xbd\xef\xbf\xbd Identification and\n\xef\xbf\xbd\xef\xbf\xbd Review of Security          \xef\xbf\xbd\xef\xbf\xbd Physical Security                  Authentication\n   Controls                    \xef\xbf\xbd\xef\xbf\xbd Production Input/Output         \xef\xbf\xbd\xef\xbf\xbd Logical Access Controls\n\xef\xbf\xbd\xef\xbf\xbd Life Cycle                     Controls                        \xef\xbf\xbd\xef\xbf\xbd Audit Trails\n\xef\xbf\xbd\xef\xbf\xbd Certification and           \xef\xbf\xbd\xef\xbf\xbd Contingency Planning\n   Accreditation               \xef\xbf\xbd\xef\xbf\xbd Hardware and System Software\n\xef\xbf\xbd\xef\xbf\xbd System Security Plan           Maintenance\n                               \xef\xbf\xbd\xef\xbf\xbd Data Integrity\n                               \xef\xbf\xbd\xef\xbf\xbd Documentation\n                               \xef\xbf\xbd\xef\xbf\xbd Security Awareness, Training,\n                                  and Education\n                               \xef\xbf\xbd\xef\xbf\xbd Incident Response Capability\n\n\n\n\n               Level 1        Documented Policy\n               Level 2        Documented Procedures\n               Level 3        Implemented Procedures and Controls\n               Level 4        Tested and Reviewed Procedures and Controls\n               Level 5        Fully Integrated Procedures and Controls\n\nFigure 3. Federal IT Security Assessment Framework\n\nIn reviewing the information supporting the self-assessment, we found that USPTO merited an\noverall score of no more than level 2, and our independent evaluation results, presented in this\nreport, confirm this lower rating. 
Thus, our evaluation shows that in its reporting to OMB,\nUSPTO substantially overestimated the quality of its fiscal year 2001 security program and\npresented an expectation for 2002 and 2003 that is far from realistic.\n\n\n\n\n                                                 5\n\n\x0cU.S. Department of Commerce                                                   Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                          March 2002\n\n\n                          OBJECTIVES, SCOPE, AND METHODOLOGY \n\n\nThe objective of this evaluation was to determine whether USPTO\xe2\x80\x99s information security\nprogram for unclassified systems complies with GISRA, which seeks to achieve effective\nsecurity for information resources supporting federal operations and assets. We satisfied this\nobjective by evaluating USPTO\xe2\x80\x99s information security policies and procedures, roles and\nresponsibilities, and adherence to applicable laws, regulations, and guidance. A review of\nselected information systems will be conducted separately.\n\nWe reviewed USPTO\xe2\x80\x99s information security policies and procedures using criteria in NIST\xe2\x80\x99s\nSecurity Self-Assessment Guide and the Federal IT Security Assessment Framework cited\nabove. The Framework establishes five levels (Figure 3) of security effectiveness and covers the\nthree major control areas identified by NIST (Table 1). We also used as criteria OMB Circular\nA-130, Appendix III, Security of Federal Automated Information Resources; the Computer\nSecurity Act of 1987; and GISRA.\n\nIn addition, we reviewed USPTO\xe2\x80\x99s self-assessments of information systems and security controls\nthat comprised its fiscal year 2001 GISRA submission, as well as its Strategic Information\nTechnology Plan for fiscal years 2001-2006. 
We interviewed USPTO officials including the\nCIO, the Deputy CIO for Information Technology Services, the Acting Director for the\nTechnical Plans and Policy Staff, the Acting Information Systems Security Officer, and the\nDirector of the Office of Systems and Network Management.\n\nWe held an entrance conference with USPTO on February 11, 2001. Our fieldwork was\nconducted from October through December 2001. On February 1, 2002, we met with the CIO\nand members of his staff to discuss the results of our evaluation. These officials generally agreed\nwith our findings and discussed steps that they are taking or have planned to improve\ninformation security at USPTO. These steps include:\n\n    \xef\xbf\xbd\xef\xbf\xbd\t Certification and accreditation.6 The CIO is obtaining contractor support to refine and\n        finalize the certification and accreditation process, train USPTO personnel to use the\n        process, and apply it to USPTO systems and networks.\n\n    \xef\xbf\xbd\xef\xbf\xbd\t Office of Information Systems Security. The CIO is planning a reorganization of this\n        office designed to improve security by separating responsibilities for security policy\n        compliance from security operations.\n\n    \xef\xbf\xbd\xef\xbf\xbd\t Security Technology Working Group. The CIO has established a security working\n        group whose objectives are to develop information security technical and policy expertise\n        and apply it to systems and infrastructure projects, to select security standards and\n        products, and to implement security from an enterprise perspective.\n\n\n\n6\n Certification is the formal testing of the security safeguards implemented in a computer system to determine\nwhether they meet applicable requirements and specifications. Accreditation is the formal authorization by\nmanagement for system operation, including an explicit acceptance of risk.\n\n\n                                                         6\n\n\x0cU.S. 
Department of Commerce                                      Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                             March 2002\n\n\n   \xef\xbf\xbd\xef\xbf\xbd\t Identification of specific internal security weaknesses. The CIO is obtaining contractor\n       support to perform firewall zone vulnerability scans, assess computer virus protection,\n       and recommend improvements.\n\nThese steps address a number of the issues we identified in our evaluation and, when\nimplemented, should help to improve the security of USPTO information assets.\n\n\n\n\n                                               7\n\n\x0cU.S. Department of Commerce                                         Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                                                March 2002\n\n\n\n                          FINDINGS AND RECOMMENDATIONS\n\n\nI.       Information Security Policies and Procedures Are Formal and Documented\n\nKey to managing information security is establishing and implementing formal, documented\nsecurity policies\xe2\x80\x94the primary mechanism by which management communicates its views and\nrequirements and establishes cost-effective organizational and system security controls. A sound\npolicy delineates the security management structure, clearly assigns security responsibility, and\nlays the foundation necessary to reliably measure progress and compliance.\n\nUSPTO\xe2\x80\x99s Technical Standards and Guidelines (TSG) Program includes formal and documented\nsecurity policies and procedures. Two TSGs form the foundation of USPTO\xe2\x80\x99s information\nsystems security program: (1) Automated Information System Security Planning, Technical\nStandard and Guideline USPTO IT-212.2-08 (August 2000) and (2) Automated Information\nSystem Security Controls Manual, Technical Standard and Guideline USPTO IT-212.2-15,\n(September 2000). 
These documents cover the three NIST-identified major areas of control: management, operational, and technical (Table 1). The policies and procedures the TSGs prescribe are consistent with accepted practices and generally adhere to applicable laws, regulations, and guidance governing information systems security.

We did, however, find one omission: there is no provision in the policy for identifying information security deficiencies that may potentially be a material weakness, in accordance with OMB Circular A-123, Management Accountability and Control, and the Federal Manager’s Financial Integrity Act (FMFIA), and for bringing such deficiencies to the attention of the Department, as required by Department guidance. Failure to identify significant information security deficiencies results in sustained vulnerability and prolonged risk. (This topic is discussed further in Finding II.)

II. Key Management Controls Are Not Fully Implemented

Despite the fact that USPTO has formal documented policies, key management controls are not fully implemented: required risk assessments have not been completed, security plans are outdated, and management has not accredited operational systems, accreditation being the formal authorization by management for operational use.

A. Risk Assessments Have Not Been Completed

GISRA requires program officials to determine and assess the risks to the operations and assets over which they have control. OMB Circular A-130 no longer requires agencies to prepare formal risk analyses but does require them to use a risk-based approach to determine adequate security.
This means security must be commensurate with the risk and magnitude of potential harm resulting from the loss, misuse, or unauthorized access to or modification of information. Risk assessments should incorporate the major factors in risk management: value of the system or application, possible costs of enacted threats or exploited vulnerabilities, and the effectiveness of current or proposed safeguards. Assessing risk to a system is an ongoing necessity, ensuring that new threats and vulnerabilities are identified so appropriate security measures can be implemented.

According to USPTO’s Automated Information System (AIS) Security Planning TSG, the Information System Security Officer, in coordination with the System Development Manager, is responsible for performing or contracting for risk assessments for USPTO’s information systems. The TSG also provides guidance and a sample template for preparing risk assessments.

We found that there are no documented risk assessments for 64 of USPTO’s 78 operational systems, fully 82 percent. Without risk assessments, USPTO cannot comprehensively analyze risks to its operational systems and therefore lacks a basis for determining what the appropriate security controls should be.

B. Security Plans Are Outdated

A system security plan provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. It also delineates responsibilities and expected behavior of all individuals who access the system.
The security plan should be reviewed annually and revised as needed to ensure that security controls can handle significant changes to the system as well as rapidly changing threats.

At USPTO, the project manager, who represents the business area that will use the system, is responsible for preparing and maintaining the information system security plan throughout the system’s life cycle, with assistance from the Information System Security Officer. USPTO’s AIS Security Planning TSG contains procedures and a template for preparing these plans.

We found that 30 percent of USPTO’s security plans (representing 24 systems) were more than 3 years old. One of the systems is PTOnet, one of USPTO’s major systems. It supports office automation services and provides access to business applications and databases for more than 8,000 employees. It has undergone significant changes over the years, yet its security plan has not been updated since 1992. Without up-to-date security plans, USPTO has no assurance that current security controls provide adequate protection.

C. Systems Are Not Accredited

OMB Circular A-130 requires management officials to formally authorize the use of a system before it becomes operational. This authorization, also referred to as accreditation, denotes that the manager understands and accepts the responsibility for the risks associated with putting the system into operation. The authorization is based on an assessment of the management, operational, and technical controls. Because the security plan establishes and documents the system protection requirements and the security controls in place, it forms the basis for management’s decision to authorize processing. A system should be re-authorized following any significant change or at least every 3 years.
It should be done more often where risk and potential magnitude of harm are high.

At USPTO, accreditation is a group responsibility. The Project Manager, System Development Manager, and Information System Security Officer are responsible for preparing and submitting an accreditation package that includes a statement certifying that security controls, features, and procedures are activated and working as required. The CIO and the program sponsor have approval authority for accreditation and determine whether system controls are adequate and the level of risk is acceptable based on an evaluation of this package. The AIS Security Planning TSG provides guidance on preparing the certification and accreditation package.

We found that none of USPTO’s operational systems had a current authorization to process (accreditation). Although its Strategic Information Technology Plan, published in March 2001, established a milestone of accrediting all business-critical information systems by July 2005, USPTO has made little progress in reaching this milestone. The lack of accreditation indicates that management has neither formally reviewed the controls nor explicitly accepted the associated risk. As a result, USPTO lacks assurance that its operational systems are adequately protected. We therefore believe that USPTO needs to focus on and accelerate this milestone. It should prioritize its systems according to risk and importance, accredit the high-risk systems by the end of fiscal year 2002, and accredit all remaining systems by the end of fiscal year 2003.

D. Information Policies and Security Controls Are Not Periodically Reviewed

A system’s security degrades over time as technology evolves and as personnel, procedures, and system locations change. Reviews should assure that policies and security controls are functioning effectively. OMB Circular A-130 requires that agencies perform a formal management review of controls at least every 3 years. Management authorization to process is based on a review of these controls.

The Office of Information System Security is responsible for reviewing and verifying, through test and evaluation, that the security controls, features, and procedures are in place and working as required before a system is accredited. The results of that review and verification are used as supporting documentation to continue accreditation. However, USPTO noted in its self-assessments that these reviews were not performed, citing funding constraints as the reason. Without these reviews, USPTO cannot ensure that security controls are appropriate and accomplish the intended purpose.

E. USPTO Needs to Determine Whether It Has a Potential Material Weakness

OMB Circular A-130 instructs agencies to identify security deficiencies pursuant to OMB Circular A-123 if during the reviews it is determined that there is no assignment of security responsibility, no security plan, or no accreditation. The agency’s decision whether to report a material weakness should depend on the risk and magnitude of harm that could result from the weakness. As noted in the previous section, failure to report significant information security weaknesses could result in unaddressed, unacceptably high security risks.

As previously discussed, and illustrated in Figure 4, USPTO lacks up-to-date security plans and current accreditations for its operational systems.
It needs to determine whether these deficiencies are potential material weaknesses to be brought to the attention of the Department, which would then make a determination of whether they are significant enough to be reported to the President and the Congress. Additionally, USPTO should revise its information security policy to identify information security deficiencies that are potential material weaknesses pursuant to OMB Circular A-123 and FMFIA, and bring them to the attention of the Department.

[Figure 4: bar chart (0% to 100%) showing the percentage complete and percentage incomplete for Risk Assessments, Security Plans, and Systems Accredited.]

Figure 4. Status of USPTO’s Key Information Security Management Controls

Recommendations

We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office ensure that PTO managers take the following actions:

1. Conduct, document, and keep current, risk assessments for all operational systems.

   USPTO has agreed with this recommendation and has contracted with a vendor to develop procedures for certification and accreditation as well as perform these procedures on a pilot group of USPTO’s most critical systems.

2. Develop up-to-date security plans for all operational systems.

   USPTO has agreed with this recommendation and has established a schedule for developing or updating security plans for all its operational systems. USPTO has noted that significant progress has been made and that approximately 80% of their operational systems now have current security plans.

3. (a) Prioritize all operational systems according to risk and importance, (b) accredit all high-risk systems by the end of fiscal year 2002, and (c) accredit all remaining systems by the end of fiscal year 2003.

   USPTO has agreed with this recommendation; however, its response indicates that completing system accreditations according to the timetable we recommend will depend on resource requirements and availability. Because of the importance of accreditation in ensuring that operational systems are adequately protected, we urge USPTO to give this matter high priority when allocating resources.

4. Update accreditations at least every 3 years or whenever a significant change in the system occurs for all operational systems.

   USPTO has agreed with this recommendation and will be updating the IT Security Program Plan to include certifying and accrediting one-third of its AISs and infrastructure systems each year after FY 2003.

5. Implement a program stipulating periodic reviews and evaluations of the effectiveness of information security controls.

   USPTO has agreed with this recommendation. As part of the certification and accreditation process, USPTO will review and evaluate the security controls related to each system. USPTO will also annually out-source assessments of the infrastructure and other operational systems.

6. Revise USPTO’s information security policy to include identifying information security deficiencies that may potentially be a material weakness pursuant to OMB Circular A-123 and FMFIA and bringing such deficiencies to the attention of the Department.

   USPTO has agreed with this recommendation and will develop an administrative order that defines the process for identifying and reporting material weaknesses to the Department.

III. Key Operational Controls Are Not Fully Implemented

USPTO’s information security awareness, training, and education program and incident response capability are incomplete. As regards training specifically, USPTO needs to provide security awareness refresher training and training in relevant and needed security skills and competency for functional specialists and information security staff. Regarding incident response, USPTO’s procedures must incorporate a reporting function that provides for the sharing of information with relevant federal agencies.

A. Information Security Awareness, Training, and Education Are Inadequate

Information Security Awareness Requires Periodic Refreshing

USPTO’s information security awareness program consists of new employee awareness training and published security awareness material. All new employees, as part of their orientation, receive a briefing by the Office of Information Systems Security on the proper and ethical use of USPTO’s electronic information resources.
In addition, USPTO has published two end user guides, Rules of the Road Services Guide and Computer Housekeeping Guide, which cover such topics as virus protection, data security, rules of behavior, and handling sensitive data.

Thus USPTO’s information security awareness program covers the areas identified by OMB Circular A-130 and other applicable guidance governing security awareness; however, awareness training is a one-time occurrence and only for new employees. Follow-on security awareness information is provided via the static log-on screen warning banner with references to the Rules of the Road Services Guide. OMB Circular A-130 notes that attention to security tends to dissipate over time. NIST states that a stimulus used repeatedly will eventually be selectively ignored. Therefore, USPTO should provide periodic refresher training to all employees to assure that they continue to understand and abide by the applicable rules.

Information Security Training and Education Program Needs to Be Developed

Under the Computer Security Act, each agency is required to provide mandatory periodic training in computer security awareness and accepted computer practices for all employees involved with the management, use, or operation of each federal computer system within or under the supervision of that agency. OMB Circular A-130 emphasizes these mandatory training requirements and further requires that prior to being granted access to applications and information systems, all individuals must receive specialized training focusing on their information security responsibilities and established system rules. In addition, GISRA requires that the agency CIO ensure the training of personnel who have significant responsibilities for information security.

USPTO’s computer security training program consists of only information security awareness, which does not satisfy the supplementary training and education requirements.
According to NIST, a formal information security training and education program focuses on providing the knowledge, skills, and abilities specific to an individual’s roles and responsibilities relative to information systems.

Although information security officers and other employees with security responsibilities receive some relevant training, that training is not sufficient, and USPTO lacks a formal training program to ensure that employees receive security training applicable to their job function. Without such a program, USPTO cannot ensure that its security professionals and other employees with security responsibilities understand and apply information security practices effectively. USPTO needs to establish a formal information security training program aimed at ensuring that all personnel with significant security responsibilities understand information security risks and their responsibilities. NIST Special Publication 800-16 provides guidance on information security training requirements. These training requirements were derived from the information security program requirements established in OMB Circular A-130.

B. Incident Response Reporting and Handling Procedures Need to Be Revised

OMB Circular A-130 requires agencies to establish formal incident response mechanisms dedicated to evaluating and responding to security incidents in a manner that protects their own information and that of others who might be affected by the incident. The requirement stipulates that policies and procedures be documented and unnecessary internal obstacles to the timely reporting of incidents to the appropriate authorities be removed.
The intent of the incident handling provision is to ensure that each agency has both the technical and procedural means in place to detect and appropriately report security incidents and share information on common vulnerabilities.

GISRA expands on the existing incident reporting policy by requiring agencies to notify and consult with law enforcement officials, other offices and authorities, and the General Services Administration’s Federal Computer Incident Response Center (FedCIRC). OMB’s implementation guidance for GISRA states that policies and procedures should facilitate the timely reporting to appropriate authorities within the agency, citing security officials and Inspectors General as examples. Not only is reporting of incidents required, but increased sharing of information concerning attempted intrusions, threats, and common vulnerabilities among organizations has been identified by GAO and FedCIRC as a valuable tool that the federal government as a whole can use to identify and assist in detecting intrusions and securing federal information systems. An important aspect of information sharing is reporting to FedCIRC any event violating an explicit or implied security policy. FedCIRC requires that agencies establish points of contact to facilitate the reporting of incidents and the receipt of warnings and alerts from FedCIRC.

We found that USPTO’s documentation of information security incident response procedures is consistent with OMB Circular A-130. The documents appropriately identify roles and responsibilities, define incident types and severity levels, and have reporting requirements. However, USPTO does not require the Information Systems Security Officer to notify or consult with OIG and external security offices and authorities in accordance with OMB guidance.
For the period from October 2000 to October 2001, USPTO internally recorded several high-severity information security incidents, but did not report any to FedCIRC or OIG.

USPTO is aware that its current incident handling and reporting procedures do not meet GISRA requirements and has drafted a new set of procedures to meet these requirements. USPTO needs to ensure that these procedures address the reporting of incidents to FedCIRC and to DOC OIG.

Recommendations

We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office ensure that USPTO managers take the following actions:

1. Provide information security awareness refresher training periodically to all employees.

   USPTO has agreed with this recommendation. A joint program office working group was established and has developed IT security user training awareness material that will be provided to all USPTO employees in the next 2 months.

2. Develop and implement, using NIST Special Publication 800-16 as a guide, a comprehensive information security training and education program based on job functions, roles, and responsibilities.

   USPTO has agreed with this recommendation and has plans to develop a comprehensive IT security training program using the NIST guidelines.

3. Track, on an annual basis, the number of employees trained and the type and cost of training provided.

   USPTO has agreed with this recommendation and is working to create a database to track personnel who have completed IT security training.

4. Revise incident reporting procedures to incorporate notifying DOC OIG and FedCIRC.

   USPTO has agreed with this recommendation and is updating its incident reporting procedures. USPTO has indicated that the Department has requested that incidents be reported to it and that it will relay the information to FedCIRC. The OIG accepts this as a suitable approach.

IV. Information Security Requirements Should Be Identified in Capital Asset Plans and Linked to Security Cost Estimates

Under GISRA, agencies must identify and budget for security measures and resources needed to protect IT investments, starting from the earliest planning stages and throughout the investment life cycle. According to OMB Circular A-11, which governs preparing and submitting budget estimates, security costs are to be presented as a percentage of the total system cost or project investment in Exhibit 53, “Agency IT Investment Portfolio”; and capital asset plans must be provided (Exhibit 300), indicating whether the project’s security meets GISRA requirements and describing the security and privacy measures to be used.

Despite GISRA requirements and the statement from OMB that it will not approve funding for projects that do not include costs for meeting system-specific security needs, USPTO did not identify security costs for any individual system in its fiscal year 2002 or 2003 budget submissions. Even if a security funding request had been included, the amount would have been questionable because USPTO has not conducted an accurate, thorough analysis of current security needs or the cost of satisfying them.
Furthermore, fiscal year 2002-2007 budget formulation guidance provided by USPTO’s Office of the Chief Information Officer does not contain instructions for incorporating security costs into budget formulations.

A lack of support within USPTO for information security funding has been cited as the reason for deficiencies in such areas as system accreditations and training. We believe that poorly substantiated budget requests have contributed to this problem. Without sound analysis, USPTO will not be able to justify funding that will be needed to plan and implement required security improvements. Indeed, most of the improvements we observed occurred not as a result of proactive analysis and planning, but as a direct response to an OIG audit or evaluation or to specific incidents.

Recommendations

We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office ensure that USPTO managers take the following actions:

1. Revise USPTO’s budget guidance to include analyzing and presenting information security costs and ensure that such costs are well substantiated.

   USPTO has agreed with this recommendation and is formulating additional budget guidance.

2. Explicitly identify information security requirements and costs on a system-specific basis in funding requests to OMB.

   USPTO has agreed with this recommendation and is refining its budget estimates at the system level for future submissions.

V. Information Security Could Be Improved by Proactive Attention from Senior Management

GISRA requires that the head of each agency ensure that the agency’s information systems’ security plans are carried out throughout the life cycle of each system to safeguard the privacy, confidentiality, and security of federal information. The agency head is also responsible for promoting security as an integral component of that agency’s business operations; agency managers and program officials are to ensure that effective security policies and procedures are implemented throughout the life cycle of every IT system. As the foregoing discussion documents, information security has yet to become an integral component of USPTO’s business operations.
Thus, there is a lack of follow through in carrying out fundamental responsibilities, including

• identifying, assessing, and understanding risks to USPTO’s IT assets;

• determining security needs commensurate with the levels of risk;

• planning, implementing, and testing controls that adequately address risk;

• promoting continued awareness of information security risk and providing appropriate training;

• continually monitoring and evaluating policy and effectiveness of information security practices; and

• integrating security into its capital planning and investment control process.

Our evaluation demonstrates that information security has not received adequate attention at USPTO and that significant weaknesses exist in planning, budgeting, implementation, review, and oversight of this area. Information security weaknesses throughout Commerce prompted OIG to identify strengthening information security as one of the Department’s top 10 management challenges. Recognizing the severity of this issue, the Secretary of Commerce issued a memorandum to secretarial officers and heads of operating units in July 2001 stating that information security should be given high priority and sufficient resources and that these officials are expected to personally invest the time necessary to assure information security improvements (Appendix B). The memorandum directed these officials to work closely with and support their operating unit CIOs with respect to information security and to allocate sufficient resources at the operating unit level necessary for the protection of Commerce data and systems. This direction, however, was provided in the context of a departmental IT management restructuring, and the memorandum was not sent to the head of USPTO.
Because strengthening information security is a top management challenge that is directly applicable to USPTO, the memorandum is relevant to USPTO.

The awareness, support, and proactive involvement of USPTO’s senior management are, however, essential to establishing the environment and ensuring the resources needed to promote an effective information security program. We urge the Under Secretary of Commerce for Intellectual Property and Director of USPTO to make improving the information security program a high priority and to direct USPTO senior management officials to do the same. He should ensure that these officials fully understand their information security responsibilities and make certain that sufficient resources are allocated to this essential area.

Recommendations

We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office ensure that senior USPTO management officials:

1. Give information security high priority, sufficient resources, and their personal attention.

   USPTO has agreed with this recommendation. The USPTO Chief Information Officer and the Under Secretary of Commerce for Intellectual Property and Director will continue to work together to ensure that appropriate attention and resources are allocated to the IT Security Program. In addition, the USPTO Chief Information Officer will update the Executive Committee every 2 months at its regular meeting.

2. Work closely with the USPTO CIO to improve information security.

   USPTO has agreed with this recommendation and has appointed an interim IT Security Program Manager until the Office of Information Security is reorganized and IT security vacancies filled.

3. Be provided with explicitly defined and documented information security responsibilities.

   USPTO has agreed with this recommendation, and a new administrative order will define information security responsibilities across USPTO.

APPENDIX A
(2 Pages)

Additional Information Security Roles Within USPTO[7]

Automated Information System (AIS) Security Analyst - assists the Project Manager in determining specific legislative, procedural, security, and confidentiality requirements for the AIS.

AIS Security Officer - assists the Project Manager with preparing the security information that is in the Operational Support Plan.

Director, Office of System Product Assurance - conducts independent tests of AIS system contingency plans and the Information Technology Infrastructure Disaster Recovery Plan.

USPTO Business Area Program Sponsor - ensures, with the assistance of the CIO, that information systems process and handle sensitive information in a cost-effective manner.

AIS Production Manager - appointed by the Business Area Program Sponsor, the Production Manager is responsible for the security of the AIS and serves as the AIS Security Officer for systems in operation.

AIS Project Manager - appointed by the Business Area Program Sponsor, the AIS Project Manager, with the assistance of a System Development Manager, conducts the AIS sensitivity assessment, prepares the AIS Security Plan, identifies and prioritizes AIS security requirements, incorporates security training requirements in the AIS training plan, serves as AIS Security Officer until the Business Area Program Sponsor appoints a Production Manager or another business area employee to serve in the role, ensures that funding is available, and obtains contractor support to conduct the risk assessment.

System Development Manager - appointed by the CIO, the System Development Manager is responsible for designing, developing, and deploying an AIS under the business direction of the Project Manager; also works with the Information Systems Security Officer to ensure that adequate application controls are built into the AIS.

Office of Information Systems Security (OISS) Duty Officer - serves as a single point of contact on a rotational basis for user ID issues and other routine security issues, and coordinates incident response activities.

Contracting Officer Technical Representatives - coordinate with Task Order Manager(s) for all security duties and initiate background checks for contractors performing system administration.

Office of System and Network Management - establishes and monitors operating system and hardware baseline information, reviews system logs, and reports anomalies to the Office of Information Systems Security.

USPTO’s Office of Security - performs national agency checks, conducting inquiries regarding employees and contractors as required by federal policies and position determination.

Office of Human Resources - designates, with the assistance of the managers, the sensitivity or risk levels of positions in the operating unit; sends a list of departing USPTO personnel to the Office of Information Systems Security and the Office of System and Network Management; notifies the Office of System and Network Management and the Office of Information Systems Security of any personnel issues that may have a direct or indirect effect on information security.

[7] US Patent and Trademark Office. USPTO Automated Information System Security Control Manual, Technical Standard and Guideline, USPTO IT-212.2-15. Washington, DC: US Patent and Trademark Office.

APPENDIX B

ATTACHMENT A
Department of Commerce         Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                March 2002\n\n\n\n\n\n                              24\n\n\x0cU.S. Department of Commerce         Final Inspection Report OSE-14816 \n\nOffice of Inspector General                                March 2002\n\n\n\n\n\n                              25\n\n\x0c"